Protecting
Robert Oatman rewrites the book
PAGE 26

Securing Source
How to use code analysis tools
PAGE 18



University of Indianapolis Hacked: 11K Student, Faculty, Staff records stolen




Trojan horse captures data on 2,300 Oregon taxpayers


Credit Card Numbers Stolen from TJX


HOTEL CHAIN FALLS VICTIM TO 14,000 DATA-STEALING MALWARE INCIDENTS




98,930 Affected in Forever 21 Data Breach


THINK THE NEXT GENERATION OF MALWARE doesn't have a headline waiting for you?

Data-stealing malware is smarter, faster and more advanced than ever. It's infiltrating the most secure enterprises and yours could be next. But with Trend Micro™ Enterprise Security, powered by the Trend Micro Smart Protection Network, you'll be ready. This unique combination of solutions and services is the next-generation, cloud-client security infrastructure that blocks the most sophisticated threats before they reach your network. Download our eBook and learn how easily Web threats like data-stealing malware can evade your current security solution and what you can do about it.

Download our Outthink the Threat eBook and register for a free, onsite risk assessment now at trendmicro.com/thinkagain. Or contact us for more information at 877-21-TREND EXT. 54

Trend Micro
Securing Your Web World



February 2009 Vol. 8, No. 1


Features...

22 Same Threats, Smaller Budget
Cover Story | Budgets
Small businesses have to be crafty to handle security with fewer resources. Here are bright ideas for SMBs.
By Lauren Gibbons Paul

26 Nothing Left to Chance
Executive Protection
The presidential inauguration and roiling anticorporate sentiment put executive protection in the spotlight. Expert Robert Oatman explains the elements of a good program, the impact of technology and more.
By Joan Goodchild

Also Inside...

2 From the Editor

4 From the Publisher

6 Join the Discussion
CSOonline readers debate a new data protection law, realizing a more secure business environment and predictions for 2009.

9 Briefing
■ Three global risks to business in 2009
■ Four questions on Google app security
■ With Gaza conflict, cyberattacks come, too
■ DHS and cybersecurity: Yes, no, maybe so?
■ Security wisdom watch
■ Three ways a Twitter hack can hurt you
■ Five ways to secure your BlackBerry

18 Toolbox
Secure Code Analysis Tools
Attacks have shifted from the perimeter to the application layer. These tools help write clean, secure applications. By Mary Brandel

30 Undercover
The Company that Did Everything Wrong
A comical, yet sad visit to one company that had suffered a data breach (Part 1).

34 Industry View
Outsourcing/Offshoring: An Information Security Practitioner’s View
The four stages of the outsourcing lifecycle. By Simone Seth

36 Debriefing
Watching the detectives


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2008 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Cover Illustration by John MacDonald


February 2009 www.csoonline.com 1


[FROM THE EDITOR]

Compliance Complaints

IDC, a sister company to CSO, predicts that IT security spending will still grow by nearly 10 percent in 2009, and even faster in 2010. They characterize security as “the least likely area [in IT] to face cuts in response to the current economic crisis.”

And we all know the main reason: regulatory compliance.

It would be fun to tell ourselves that years of awareness training and our evermore-sophisticated security metrics had gotten traction at last. But it’s the law’s long arm that is goading companies to keep their wallets open for security in this dreadful financial season.

California SB1386 may be the single most effective piece of legislation in this battle; that law (along with the versions it spawned in other states) hits CEOs right where it hurts, in the “Don’t show up on the front page of the Wall Street Journal” part of their anatomy. But in terms of influence, the requirements of PCI-DSS, the Payment Card Industry’s Data Security Standard (do I really have to keep spelling it out?) are surely breathing the same rare air. PCI is, of course, not a government regulation, but an industry attempt at self-regulation.

Now, the new year kicks off with a disclosure from Heartland Payment Systems of a data breach that may be the largest on record, surpassing the dubious record set by TJX Companies (more than 100 million accounts affected, according to data on privacyrights.org). Heartland processes more than 100 million card transactions every month, and the breach apparently went undetected for several months.

A huge breach so close to the core of the credit card industry: that’s disheartening. A bit of security industry self-reflection followed, as reflected by articles, blog posts, Twitter discussions, et cetera, all chewing over the question:

Does PCI work?

Some say the hack exposes PCI as irrelevant. Others retort that they’ve never seen a breach at a company that really was compliant.

Does PCI work?

Silly question.

As BT security consultant Ben Rothke said to me, it’s a little bit like looking at crowded prisons and concluding that we shouldn’t have laws about violent crime because they don’t prevent all violent crime.

PCI needs improvement? The PCI audit process isn’t perfect? PCI compliance doesn’t prevent all cybercrime? Well, color me “shocked, frankly, shocked,” like Claude Rains in Casablanca. Everybody in the security field knows that regulatory compliance (or ISO guideline compliance, or compliance with anything) doesn’t take all the risk out of business. You have to keep evaluating and improving every aspect of security. Threats evolve, so defenses must evolve, standards must evolve, legislation must evolve, individuals must evolve.

So while the payment card industry sifts through the rubble at Heartland and considers how the DSS has to be strengthened, let’s also keep on improving awareness training and working on evermore-sophisticated security metrics. PCI is a good thing. Actually, it’s a great thing. But it’s just one piece of the puzzle.

-Derek Slater, dslater@cxo.com


Editor in Chief: Derek Slater
Senior Editors: Bill Brenner, Joan Goodchild
Copy Editor: Kristin Burnham
Editorial Administrator: Simone Levien
Contributors: Mary Brandel, Jarina D’Auria, Robert McMillan, Lauren Gibbons Paul, Simone Seth

DESIGN
Executive Director, Art and Design: Mary Lester
Art Director: Steve Traynor

RESEARCH
Research Manager: Carolyn Johnson

CXO MEDIA/IDG
COO: Matt Smith
CSO: Robert Hayes

TECHNICAL ADVISORY BOARD
Jason Cowling
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

CXO Media Inc.
International Data Group
Chairman of the Board: Patrick J. McGovern

IDG Communications, Inc.
CEO: Bob Carrigan

BPA Worldwide




Photo by Webb Chappell


Past: Company goes public. Upgrade network and backup storage. Hire new IT Director and Compliance Director. Expand operations.

Present: Market conditions hurt revenue growth. Budgets tighten across the board. Engage Lumension for security solution. Reduce IT and security TCO. Data and network protected. Meet industry compliance audit.

Future: Positioned for economic turnaround.

Reduce Risk. Not Revenue.

Download our white paper on Reducing Security TCO at www.lumension.com/security-tip-21
1.888.725.7828

Vulnerability Management | Endpoint Protection | Data Protection | Reporting and Compliance

Lumension
IT Secured. Success Optimized.


[FROM THE PUBLISHER]

My Hope

Politically, it seems to be a time to be full of hope. Despite the slumping economy and the challenges that lie before us, hope takes on two forms for me this year: First, I hope that the new administration in Washington, D.C., can realize more success in controlling cyber threats than the past administration did. Don’t get me wrong, I’ll be the last to take shots at the Bush administration’s attempts to secure cyberspace and the critical infrastructure. I think that what they accomplished, in a time of challenging expectations and priorities, was remarkable. It’s easy to play Monday morning quarterback and shoot holes in every initiative. Sure, I think that we’ve spent too much time trying to make cybersecurity, under DHS, work effectively. Sure, I think part of the problem was that cybersecurity was a hot potato that paled in comparison to the risks from a dirty bomb or other such terrorist attacks. Part of the problem is the pace at which government works. That’s why I am encouraged by the CSIS Commission report, “Securing Cyberspace for the 44th President.” It outlines what I believe to be a viable and effective path for us to follow to address cybersecurity. That’s my first hope.

My second hope is that the new administration won’t screw things up too badly. We’ve all seen from experience the kind of hole that cyber issues can fall into. It is a difficult challenge that requires a strategy, leadership and executive buy-in. Over the years we’ve learned that organizations that have executive leadership for security (a CSO or CISO) are more likely to have a security strategy in place and, as a result, suffer fewer security incidents. They also have buy-in from the executive level of their organization. In this case, that buy-in would come from the president and would flow from his office down throughout the government. All the best intentions won’t be worth a dime if this isn’t viewed as a priority by the Oval Office. These days, the Oval Office has a lot of priorities; it’s all going to come down to where this one sits in the pecking order.

Much like in Robert Frost’s poem, our nation, too, sits at a divergence of two roads. One road is well traveled and follows a path that, while it has protected us against a cyber D-day and secured our critical infrastructure, has not really left us as secure as we know we should be. The other road, the one less traveled, may have great promise but we don’t know where it leads. We can only hope that the new administration’s choice will make us more secure in the end.

Best regards,

-Bob Bragdon, bbragdon@cxo.com


Advertiser Index

CA ... C4
CXO Media Inc. ... 19, 31, C3
Fortify Software ... 13
Gemalto ... 11
HID Corp ... 5
ISACA ... 8
Lumension Security ... 3
RSA Conference 2009 ... 33
RSA Security ... 15, 17
Trend Micro ... C2


Publisher: Bob Bragdon
Senior Ad Sales Associate: Christine McKay
East Coast Regional Manager: Roz Burke
Regional Sales Manager: Matt Knuth

INTEGRATED MEDIA AND ONLINE SALES
Vice President, Online Sales: Brian Glynn
Online Regional Sales Manager: Richard Hartman
Online Regional Sales Manager, West Coast: Erika Karr
Manager, Online Account Services: Danielle Tetreault
Online Account Services Specialists: Jennifer Malkasian, Tara Shea
Online Advertising Specialist: Barbara Sullivan

CUSTOM SOLUTIONS GROUP
Vice President: Matt Avery
National Sales Director: Adam Dennison

PRODUCTION
VP/Manufacturing: Chris Cuoco
Production Manager: Heidi Broadley
Associate Production Manager: Lisa M. Stevenson

EXECUTIVE PROGRAMS
VP, Executive Programs: Ellen Daly
Director, Event Marketing: Mary Conroy
Director, Event Operations: Deb Begreen
Editorial Director: Maryfran Johnson
National Sales Manager: Per Melker
Eastern Regional Sales Manager: Sarah Moon
Sales Associate: Lauren Costello
Event Planner: Sarah Reagan
Event Planner/Client Relations: Laura Biringer
Registration Specialist: Cress O'Brien
Marketing Specialist: Kristin Gallo
Client Services Specialist: Erica Foster

LIST SERVICES
Contact Paul Capone of IDG List Services at 508 370-0865 or pcapone@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460 ext. 150, cso@theygsgroup.com




Photo by Christopher Navin


If they ask what else the network can do, show them the door

HID Global, the world leader in access control, brings you EDGE IP-based solutions, an efficient and trouble-free way to extend the network to your company’s doors.

HID’s EDGE access control solutions are designed to fully leverage your company’s IT infrastructure, eliminating controllers, and connecting easily with a network cable to each door. Easy to install and manage, EDGE creates tangible cost savings, while using very little bandwidth. Plus, you can count on the security, reliability and support of the number one name in physical access control. EDGE from HID. It’s an easy way to show what else your network can do: just bring intelligence to the door.

ACCESS intelligence.


What’s on your mind? Security leaders discuss and debate at www.csoonline.com


COMPLIANCE

Want Some Cheese With That?

Businesses protest new Massachusetts data protection law; Jeff Bardin has a message for them

The Associated Press recently reported in Massachusetts newspapers that new security and identity theft rules are being protested, mostly by the attorneys representing businesses and the Retailers Association of Massachusetts.

They claim that jobs will be lost (they could hide them in this economy and since we are losing so many now anyway, who would notice a few more?) and that states should not be creating laws for this since the data flows across state lines (based on what I have seen, it flows wherever it wants to with impunity and without controls. In addition, the federal government has done nothing for the past eight years to address this issue, so states must take some action to protect our information since retailers don’t give a rat’s you-know-what about addressing the issues).

They are belly-aching about a one-size-fits-all approach. The Massachusetts Business Roundtable says that “everyone naturally wants to make sure there is privacy for the people they do business with, but there needs to be enough flexibility to meet their own idiosyncrasies of their businesses.”

I know of folks who don’t really care about privacy, only giving it lip service or the “illusion of due diligence.”

This has been going on for years and our data is still flowing anywhere it wishes without protection. Laptops are still not secured or encrypted even though there are free tools available. These organizations are complaining about something that they should have done years ago, and now want another year to get it in place. Heck, the Massachusetts law doesn’t even have any teeth in it, and yet they are whining. Have their heads been in the sand all these years?

Look, if my credit card or PII is electronically (or physically) in your hands, regardless of your business, and you are authorized to have it, protect the damn data and quit your quibbling. You have had years to address this issue, and based upon the level of whining, done nothing. There are open-source tools available, so don’t complain about the cost and don’t talk about technical issues of which you have no clue.

My wall of shame at home that includes seven letters from six different organizations represents the number of times (that I know about) my PII has been lost and/or disclosed. So, if I were [Massachusetts Governor] Deval Patrick, I would not modify the dates anymore. Pony up boys, it is time to protect your customers’ data!

-Jeff Bardin

Photo by iStockphoto.com

>> DISCUSSION

METRICS

The Key to Communication? Balance!

David Kelleher’s “10 Things that WON’T Happen in 2009” (www.csoonline.com/article/475322) is an insightful discussion of security issues that, against all efforts, seems to visit us with each coming year. This blog series will explore what we can do to realize a more secure business environment in 2009.

In spite of serious security breaches in 2008, Mr. Kelleher states that organizations will continue to view security as an afterthought rather than a critical business consideration. I agree that a business that does not see the value proposition in security investments is less likely to make such investments. In order to raise information security as an agenda item to a board of directors, we must make a business case for it.

In “a common-sense way, to make the business case for software assurance” (available on Informaworld.com), several models for the communication of security investments are presented. Among them is the balanced scorecard. This model examines the organization through the use of four metric perspectives:

■ Financial
■ Internal business processes
■ Learning and growth
■ Customer

The Financial metric requires accurate and timely information about the fiscal health of the company. This includes data on assets, liabilities and risks. All investments boil down to an analysis of this metric. Thus, the financial impact of a security solution must be communicated appropriately.

The Business Process metric allows executives to ensure that processes are meeting business requirements. This metric is a powerful driver for change in business strategy. Rather than struggle with existing processes and culture, security professionals must strive to design solutions that leverage these elements. While change is sometimes required, this change must be fostered by the leadership in order to be successful.

The “learning and growth” metric examines attitudes toward corporate and self improvement. Learning extends beyond the immediate enhancement of knowledge. If inculcated into the business, it can change the way the business competes for the better. Given the value of intellectual capital, security proposals must highlight the educational enrichment they have to offer. A workforce that understands how to counter the risks faced by the organization adds greater value to the bottom line.

Lastly, the “customer” metric is an indicator of market satisfaction in the products and services offered by the business. This metric includes the reputation of the organization. Security professionals must show how their proposals will enhance customer satisfaction. They must also show how the business can enhance its value proposition via security investments.

If information security professionals discuss security within this framework, they can communicate the business value of a given set of solutions. By speaking the language of business, they can get the attention of those in control of the budget.

-Steve Fox

PREDICTIONS

Best Predictions for 2009

Predictions—everyone seems to have them. I wanted to summarize the best of what I’ve seen as well as contribute my opinions to the many 2009 security lists floating around in cyberspace.

A Google search on “2009 security predictions” yields millions of results. Starting at the top, SANS usually offers good insights, so here’s their list of top predictions, which was updated on January 9: www.sans.edu/resources/securitylab/2009_predictions.php. I didn’t see too many “way out there” statements, and some of these predictions already came true in 2008, such as David Hoelzer’s: “I predict that in 2009, a major corporation who is fully PCI/DSS compliant will experience a major data breach, proving the point that ‘compliant’ is not the same as ‘secure.’”

A Georgia Tech Information Security Center report entitled, “Emerging Cyber Threats Report for 2009,” is subtitled, “Data Mobility and Questions of Responsibility Will Drive Cyber Threats in 2009 and Beyond” (www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124621). Although there were no major surprises, the report listed the following five emerging threats as the greatest challenges in the year ahead: “Malware, botnets, cyber warfare, threats to VoIP and mobile devices and the evolving cybercrime economy.”

Network World’s Andreas M. Antonopoulos lists his security predictions for 2009, which includes: “Regulatory compliance will be back with a vengeance.” I agree with him on the list, but again there are no “wow” statements or big surprises here.

Finally, I like the slideshow of predictions offered at Channel Web. This list is by far the most original and creative.

And the winner is... Channel Web. No doubt the economy and tough times will impact security in unknown ways, but will dominate the back office of security.

-Dan Lohrmann

MORE ON THE WEB

Social Engineering, Deconstructed
Need help keeping employees security-aware? Find “Social Engineering: Eight Common Tactics” and other articles to help at www.csoonline.com/topic/43411/Awareness.

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief: dslater@cxo.com, 508 935-4213
Bill Brenner, Senior Editor: bbrenner@cxo.com, 508 988-7587
Joan Goodchild, Senior Editor: jgoodchild@cxo.com, 508 988-7994

Subscriber Services: Phone: 866 354-1125; Fax: 847 564-9453; E-mail: cso@omeda.com

Reprints & Permissions: For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 150, cso@theygsgroup.com.




Exam Registration Deadline: 8 April 2009
Exam Date: 13 June 2009

CGEIT: Certified in the Governance of Enterprise IT
CISA: Certified Information Systems Auditor
CISM: Certified Information Security Manager

ISACA
Visit www.isaca.org/csomag.
Serving IT Governance Professionals


“You wouldn’t shop online and check your bank account on your PC without firewalls ... So, why are you doing it with your BlackBerry?” page 16


Edited by Bill Brenner


Three Global Risks to Business in 2009

With financial and political volatility all over the world, what challenges pose the biggest risk to business in 2009?

Anyone who reads the headlines these days knows that the world is an uncertain place. And 2009 will be a year that brings even more changes and uncertainty, according to Control Risks, an independent, specialist risk consultancy.

The company recently released its 2009 annual forecast of the global, political and security risk environment. Control Risks analyst and author Daniel Linsker spoke with CSO about some of the highlights that businesses need to consider before investing.

The financial crisis. While Asia at one point was thought to see little impact from the financial crisis, it now appears it will not be immune. That applies to countries across the world, Linsker says. But the impact of the crisis is not so much dependent on the exposure of a country as it is on its specific capability to address the risks and challenges of the crisis.

“A lot of attention was placed on Russia and Venezuela, large oil-producing countries,” he says. “Those countries will face problems, but they don’t run the risk of collapse. The capacity of those governments to react is quite large. On the other hand, you might have countries that wouldn’t expect to be troubled, for example the Ukraine or Poland.”

These are countries that were competing favorably and were good investment destinations. But suddenly there is a downturn, and the countries’ stability is being brought into question.

Scarcity. The report indicates that scarcity will be a major risk factor for global business in 2009. The first point and perhaps the more superficial, Linsker says, is that the sudden decline in worldwide commodity prices might just be temporary. There is a financial crisis, so the global slowdown has lifted a lot of the pressure on commodities, he says. But basically the underlying fundamentals of scarcity are there.

Even when the global economy starts speeding up again, you will get a renewed sense of urgency in terms of finding the resources and getting them to market, he says.

“Scarcity will probably be one of the main strategic challenges for business going forward, not only in 2009 but beyond,” he says. “It affects everything from your supply chain to your capacity to operate.”

If you are operating in certain parts of the world (some countries in Africa or Latin America, for instance) you will experience electricity shortages, he says, adding, “That is a complete no-no. You won’t be able to operate what you need to operate without power.”

Kidnapping and piracy. Kidnapping is a very good example of the changes in patterns of crime, Linsker says. What we are seeing, to some extent, is a globalization of crime.

“What you see in Mexico, and to some extent in Venezuela and Ecuador, is very similar to what you saw in Colombia when Colombia was going through its drug wars,” he says. “The police were quite weak, and there was an easy state to exploit. They have copied the technique. Criminal gangs realized there was a lot of money to be made from kidnapping. They’ve realized they can exploit weaknesses in systems and protection of personnel and they’ve gone for it.”

The challenge for companies is going to be translating the lessons from these countries to places like India and Nigeria, where kidnappings are frequent, he says.

-Joan Goodchild


>> BRIEFING




Q&A

FOUR QUESTIONS ON GOOGLE APP SECURITY


Need proof that the computing world is dominated by applications engineered by search giant Google? Just stare into your laptop. The Web-wandering public has increasingly forsaken Microsoft Outlook and Lotus Notes in favor of Gmail as their e-mail program of choice. Companies that sell software to measure website performance have a tough competitor in Google Analytics. And the list goes on. This makes the Google universe a tempting target for those who would exploit application security holes to infect computers with malware, steal credit card and Social Security numbers and make off with a company’s intellectual property. In this Q&A, Eran Feigenbaum, senior security manager for Google Apps, and Adam Swidler, product marketing manager for Google Apps, explain the steps Google has taken to defend their users against online evil.

There's been some debate over whether it's truly possible to have secure cloud computing. What's the Google argument in favor of it?

Eran Feigenbaum: We see tremendous security issues with the traditional client-side server: misconfiguration, missing patches, having things turned on you didn’t know you had turned on, and so on. Then there’s the complexity of running multiple versions of different applications on the network. It all becomes very difficult to secure.

Talk about what Google has done to learn from those problems.

Feigenbaum: With cloud computing, and specifically Google Apps, we’ve been able to learn from those lessons and design a relatively newer infrastructure that doesn’t have those problems. For example, our millions and millions of servers all look identical.

We manage all the physical and virtual components: the hardware, the operating system, and since everything is identical, it’s easier to manage the technology.

Chris Hoff (chief security architect for the systems and technology division at Unisys and an advisor on the Skybox Security customer advisory board) is one of the more vocal skeptics of cloud computing and virtualization security in general. He believes there's too little understanding of the technology to secure it properly.

Feigenbaum: There’s a misconception around grouping cloud computing with virtualization. Cloud computing is just saying, ‘We have a large infrastructure, one that is identical in our case and easier to manage, and we are going to use that to benefit customers via a shared service.’ Google Apps, specifically, is built around a message application, security and compliance. A lot of companies and vendors intentionally or unintentionally get it mixed up.

Adam Swidler: When we talk about cloud computing, this is not a virtualization strategy. This is about outsourcing a lot of the security to us. We build in the security from the ground up. The only way to be more secure is to constantly test your defenses. Google is always under attack, and so we are currently adjusting and hardening security. We feel increasingly that the cloud is the best place to solve your e-mail challenges.

How is Google using the recently acquired Postini filtering service to address application security concerns?

Swidler: We really continue to sell Postini as a separate offering, separate from Google Apps, for companies that are still running their own e-mail servers such as Lotus Notes or Microsoft Exchange.

We have taken a big chunk of Postini’s technology and incorporated it into the Gmail client. But the heaviest usage is still among companies that have not yet switched to the cloud.

-Bill  Brenner 


THREE STATISTICS

[number not legible in the scan]
Number of computers infected by the Downadup worm in a 24-hour period last month

35M
Number of data records breached in 2008, according to the Identity Theft Resource Center

12.6%
How much security spending is projected to rise in 2009, according to security practitioners who responded to a survey from Forrester Research late last year




MALWARE/CYBERCRIME 

With Gaza Conflict, Cyberattacks Come, Too

Hackers  carry  out  mass  website  defacements 

The conflict that flared anew in Gaza between Israel and Palestine last month didn’t take long to spill over to the Internet. Thousands of webpages were defaced by hacking groups operating out of Morocco, Lebanon, Turkey and Iran, says Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham.

The defacements primarily affected small businesses and vanity webpages hosted on Israel’s .il Internet domain space.

One such site was that of Israel’s Galoz Electronics. The hacked website at one point read “RitualistaS GrouP Hacked your System!!! The world isn’t insurance!!! For a better world.”

Other attackers placed more incendiary messages condemning the U.S. and Israel and adding graphic photographs of the violence.

Warner says he has seen no evidence that any Israeli government site has been hit by these attacks, although they have been targeted.

Israel launched air strikes into Gaza in response to earlier rocket attacks from Hamas and other militant groups. The online attacks began soon thereafter, Warner says.

“It really got serious...all the stops got pulled out,” he says.

Warner estimates that about 10,000 webpages have been hacked. Many of these intrusions have been documented on sites such as Arabic Mirror, which keeps track of hacked websites.

Often, these are mass defacements in which many pages hosted on the same server are hit.

The defacements are carried out by loose-knit hacking groups that meet in several online forums to coordinate their attacks. One hacker, called Cold Z3ro, claims to have hacked nearly 5,000 webpages, Warner says.

A Web defacement movement took off in the militant Muslim community in 2006, when hundreds of Danish websites were hacked after a Danish newspaper printed cartoons depicting the prophet Mohammed.

-Robert  McMillan 


OPINION

DHS and Cybersecurity: Yes, No, Maybe So?

The Department of Homeland Security (DHS) has had a stained reputation almost from the start, and especially since its dismal performance in the wake of Hurricane Katrina. With a new administration in place, a lot of people are scrutinizing the agency and trying to carve out the way forward. Among the nagging questions is whether or not DHS should continue to oversee the government’s cybersecurity efforts.

There’s no question that DHS is a troubled agency and that it’s not doing nearly enough to prepare for a potential cyber 9/11. But I’m skeptical of the idea that Washington will do better by simply moving the responsibility to another part of the government.

In December, a group of outside experts recommended that cybersecurity be moved from DHS, which “isn’t equipped to protect the federal government against cyberattacks,” to an office within the Obama White House. Many members of the Commission on Cyber Security for the 44th Presidency “felt that leaving any cyber function at DHS would doom that function to failure,” according to its 96-page report. The commission also wants new government regulations to protect computer networks in the U.S. Such regulations would call for readjusting government efforts to defend its own infrastructure, but regulations for private industry are also needed, the report said.

It would be easy to agree straight away that cybersecurity could be better handled from within the White House. But it’s not necessarily fair to take it out of DHS’s hands right now.

For starters, DHS is still a young agency. Clearly, too many smaller agencies were crammed into its belly and there’s no trace of efficiency. That doesn’t mean the problem can’t be fixed or at least improved by a change in leadership. It’s also far from certain that the government could do a better job by running cybersecurity efforts from the White House.

My suggestion: Let DHS continue to handle cybersecurity, but also create a stronger oversight entity from within the executive branch, similar to the creation of a director of national intelligence separate from CIA. It’s another example of changing the leadership rather than the responsibilities. -B.B.




Photo  by  AP 




SECURITY WISDOM WATCH

A look at who made the news, for better or worse, in the last month

Thumbs down: Heartland Payment Systems. The Princeton, N.J.-based provider of credit and debit processing, payment and check management services chose Jan. 20, inauguration day for President Obama, to disclose a massive data breach. Obviously, the company hoped the news would escape notice in the midst of Obama-mania. WRONG.

Thumbs down: Paris Hilton. OK, maybe we’re not being fair to the hotel heiress. After all, she didn’t hack anything. But between her hacked cell phone and, most recently, her website, Hilton has become something of an information security bad-luck charm.

Thumbs both ways: Microsoft. The software giant has taken heat over some pretty severe vulnerabilities in Windows recently. Some IT admins are unhappy because of a couple out-of-cycle emergency patches. But nobody can deny that the Windows universe is far, far safer than it was six years ago.

Thumbs up: Obama’s BlackBerry. The new president appears to have won the battle against Secret Service folks who wanted him to turn in his trusty BlackBerry. The National Security Agency has apparently approved a $3,350 alternative smartphone, the “BarackBerry,” for Obama’s use. The agency can find ways to secure something when pushed. -B.B.


SOCIAL NETWORKS

3 WAYS A TWITTER HACK CAN HURT YOU

As Twitter investigates how several high-profile accounts were attacked, security expert Graham Cluley points to the potential risks to all users when a system is compromised

Just days after popular social networking tool Twitter was hit with a phishing scam, the company found itself trying to clean up a mess surrounding a separate hacking attack.

Some Twitter users received tweets (as Twitter messages are called) inviting them to visit certain sites or blogs. The URL in the message redirected users to a bogus log-in page in an attempt to steal log-in credentials for a phishing scheme. Things got worse as Twitter officials revealed that several high-profile accounts, such as those of Britney Spears and Barack Obama, were hacked.

Graham Cluley, a senior technology consultant at security firm Sophos, says the hacks are serious because it was a compromise of the system that potentially exposed all Twitter users to the following dangers:

Fraudulent password use. If you gain access to someone’s Twitter account, you might be able to gain access to their password, says Cluley.

“We know that 41 percent of people admit to using the same password on every website and account that they access,” he says. (See “How to Write Good Passwords” at www.csoonline.com/article/220721 for advice on creating memorable but dissimilar passwords.)

Hackers, while gaining access to something seemingly simple like a user name and password to a noncritical account, may very well be able to use the information to gain access to more important information, such as your bank account.

Malware infection. Twitter officials say that 33 accounts had been attacked in the latest hack, including high-profile users such as Britney Spears and Barack Obama. The hackers used their temporary access to send offensive messages. CNN journalist Rick Sanchez found his account had been hacked with a message that read, “i am high on crack right now might not be coming to work today.”

The damage could have been much worse, says Cluley, if the hacker had decided to take a different approach.

“Imagine if, instead, in the case of Britney Spears’ account for example, the hacker had posted a link that said: ‘Here’s my new video. Click on this link.’ Imagine how many people would have clicked on that and how it could have pointed to malware. And Barack Obama is one of the most followed people on Twitter. If he said: ‘I’ve just made a new speech. Check it out,’ a lot of people would click on that link.”

Identity theft. Much like with Facebook and other Web 2.0 applications, it is always possible that people are sharing too much information, says Cluley, which could be useful for identity theft or other illegal activity.

Cluley says that ultimately, this news begs the question: Why weren’t Twitter systems more secure, and what are the implications for the company?

“Some people are saying this ruins Twitter,” says Cluley. “Twitter had been looking for a business model, a way to make money, and now that is no longer viable, according to some criticism. But I would say if that were the case, then e-mail and websites would be no longer viable either.” -J.G.




Verbatim...

“Most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs, and their presence is frequently not tested by organizations developing software for sale.”

-From a statement written by a group of security experts who helped assemble a “Top 25” list of dangerous programming errors. The effort was spearheaded by the SANS Institute and MITRE.

“It would make for one big, bad-ass botnet.”

-F-Secure Chief Research Officer Mikko Hypponen, regarding the massive spread of the Downadup worm last month. The worm infected millions of machines in a botnet-building attack.

“Laughter, at any level, is an excellent indicator of how much management is disconnected from information security.”

-Ben Rothke, a security consultant with BT Professional Services and author of Computer Security: 20 Things Every Employee Should Know.

“Just want to say ‘Hello’ from Russia. You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast. Happy New Year, guys, and good luck!”

-An unknown hacker, in a message sent to Microsoft researchers. The message was embedded in a Trojan horse program.



5  WAYS  TO  SECURE  YOUR  BLACKBERRY 


After months of controversy, White House officials recently confirmed that President Barack Obama will be allowed to keep using his BlackBerry while in the Oval Office. But while Obama will be allowed to hold onto his cherished mobile device, it will only happen under an agreement that calls for a security-enhanced phone that will be loaded only with software that has been prescreened by U.S. intelligence officials. The President will also be restricted to communication with a small network of friends, family and close associates when using his BlackBerry.

Still, a database maintained by The Department of Homeland Security’s National Cyber Security Division lists 16 vulnerabilities for BlackBerrys. Even the best security plans can be cracked. With this in mind, CSO asked Dan Hoffman, author, mobile security expert and CTO of SMobile Systems, for his advice on ways Obama and others can keep a BlackBerry safe.

Treat your BlackBerry like a PC. You would not shop online, open e-mail attachments and check your bank account on your PC without having the proper firewalls, antivirus and antimalware protections in place, would you? So, why are you doing it with your BlackBerry? A BlackBerry is a mini computer, says Hoffman.

Without software that can scan for problems and update virus definitions, BlackBerry owners are being quietly infected without even knowing it, he says. Spyware, which can intercept messages and remotely turn on the phone and listen in on conversations, is the most common type of malware being installed on BlackBerrys.

Watch your back. Does this sound familiar? You are killing time during a layover in Dallas and are housekeeping on your BlackBerry: checking and responding to work e-mails, making important work-related calls. Maybe you are even checking the balance of your bank account.

Hoffman recounts a recent flight where he sat directly behind a BlackBerry user who was organizing all of his passwords and entry codes. “I could see everything through the seats,” he says.

Hoffman’s point? Be discreet. Keep your private information private by taking care of business in a place where prying eyes can’t see. And keep the conversations in front of people to a minimum.

Keep it on you! This sounds like the most obvious piece of advice, but, as Hoffman points out, this is where most of the trouble begins for BlackBerry owners.

Popular places for slip-ups and loss include bars and restaurants where users place the device on a table or a bar, get into conversation and forget about it. This not only opens up the possibility of leaving it behind, but also for theft. Even a temporary theft can be damaging. The bad guy can either obtain sensitive data or install a Trojan horse within a matter of seconds once the device is in hand, Hoffman says.

Have back-up. OK, so you didn’t follow the last step and now you have no idea where your BlackBerry is located. What can you do? It depends on if you have prepared for this scenario.

If it’s a corporate device and you work for a company with an enterprise BlackBerry server, contact IT immediately. They can remotely lock or wipe the device. If it is your personal BlackBerry, or if your company doesn’t have that kind of support, consider installing software that gives you this kind of capability. Investing in a program that gives you remote access means you can lock the device so others can’t get into it.

Utilize encryption and password protection. On a RIM device, encryption is there, says Hoffman; users simply need to activate it. But many unfortunately do not. Password protection is even more obvious. With a secure password, it will be very difficult for someone to break in to a BlackBerry, especially since the device only allows ten attempts.

-J.G. 




Illustration  by  Esteban 




By Mary Brandel


Source  Code  Analysis  Tools 

Attacks have shifted from the perimeter to the application layer. These tools help write clean, secure applications.


One of the fastest-growing areas in the software security industry is source code analysis tools, also known as static analysis tools. These tools review source code (or, in Veracode’s case, binary code) line by line to detect security vulnerabilities and provide advice on how to remediate problems they find.

The entire software security market was worth about $300 million in 2007, according to Gary McGraw, CTO at Cigital, a software security and quality consulting firm in Dulles, Va. McGraw estimates that the tools portion of that market doubled from 2006 to 2007 to about $180 million. About half of that is attributable to static analysis tools, which amounted to about $91.9 million, he says.


According to Gartner, close to 90 percent of software attacks are aimed at the application layer. If security was integrated earlier in the software development lifecycle, flaws would be uncovered earlier, reducing costs and increasing efficiency, compared with removing defects later through patches or never finding them at all, says Diana Kelley, founder of SecurityCurve, a security consultancy in Amherst, N.H. “Although there is no replacement for security-aware design and a methodical approach to creating more secure applications, code-scanning tools are a very useful addition to the process,” she says.

Despite the high degree of awareness, many companies are behind the curve in their use of static analysis tools, Kelley says, possibly due to the big process changes that these tools entail.

Key  Decisions 

1) SHOULD YOU START WITH STATIC TOOLS, DYNAMIC TOOLS OR USE BOTH? In addition to static analysis, which reviews code before it goes live, there are also dynamic analysis tools, which conduct automated scans of production Web applications to unearth vulnerabilities. In other words, dynamic tools test from the outside in, while static tools test from the inside out, says Neil McDonald, a VP and analyst at Gartner.

Many organizations start with dynamic testing, just to get a quick assessment of where their applications stand, McDonald says. In some cases, the groups that start this initiative are in security or audit compliance departments and don’t have access to source code. The natural second step is to follow up with static analyzers, enabling developers to fix the problems found by dynamic analysis tools. Some companies continue using both because each type yields different findings.

Illustration by Esteban

An important differentiator between the two types is that static analyzers give you the exact line of code causing the problem, while dynamic analyzers just identify the webpage or URL causing the issue. That’s why some vendors offer integration between the two types of tools.

According to the chief scientist at a large software vendor, dynamic assessment tools “tend to be brute force,” he says. “You have to hit every parameter to find the vulnerabilities, whereas static tools investigate the whole landscape of the application.” He recently chose a code scanner from Ounce Labs, after outsourcing the work to Cigital since 2006. He became interested in application security when customers began requiring Payment Card Industry Data Security Standard (PCI DSS) certification. He plans to add in dynamic testing in the future, but the static analysis tool is the cornerstone of his application security program.

2) DO YOU HAVE THE SOURCE CODE? Most static analyzers scan source code, but what happens if you want to analyze third-party software or code written so long ago that you only have the executable? In that case, Veracode offers binary code scanning through a software-as-a-service (SaaS) platform. “A vendor may not be willing to give you source code, but they will give you executables or binary,” Kelley says.

At the Federal Aviation Administration, Michael Brown, director of the Office of Information Systems Security, says he chose to use Veracode’s services this year because of the amount of vendor-written code the FAA anticipated to use as a result of its modernization of the national airspace system. He wanted a service rather than a tool to reduce the need for training. So far, the results have been eye-opening, he says. “A lot of the code didn’t really take security into account,” he says. “There were cases of memory leaks, cross-site scripting and buffer overflows.”

3) WHAT DO YOU CURRENTLY USE FOR SOFTWARE QUALITY? Some tool vendors, such as Coverity, Klocwork, ParaSoft and Compuware, originated in the quality-testing arena and have added security capabilities, whereas vendors like Ounce and Fortify Software were solely designed for security. It’s worthwhile to check into the quality tools you already use to see if you can leverage the existing relationship and tool familiarity. You should also consider whether it’s important to your organization to have the two functions merged into one tool in the long term, McDonald says.

Evaluation  Criteria 

■ Support for the programming languages you use. Some companies support mobile devices, while others concentrate on enterprise languages like Java, .Net, C, C++ and even Cobol.

■ Good bug-finding performance, using a proof of concept assessment. Hint: Use an older build of code and see how well the product catches the bugs that you had to find manually. Look for both thoroughness and accuracy. Fewer false positives mean less manual work.

■ Internal knowledge bases that provide descriptions of vulnerabilities and remediation information. Test for easy access and cross-referencing to discovered findings.

■ Tight integration with your development platforms. You’ll likely want developers to incorporate security analysis into their daily routines.

■ A robust finding-suppression mechanism to prevent false positives from reoccurring once you’ve verified them as a nonissue.

■ Ability to easily define rules so the tool can enforce internal coding policies.

■ A centralized reporting component if you have a large team of developers and managers who want access to findings, trending and overview reporting.

Dos  and  Don’ts 

DON’T underestimate the adoption time required. Most static analysis projects are initiated by security or compliance and not by developers, who may not immediately embrace these tools. Before developers get involved, McDonald suggests doing the legwork on new processes, planning integration with other workflows like bug-tracking systems and development environments and tuning the tool to your unique coding needs. “Don’t deploy to every developer at once,” he adds. “Ideally, you’ll get someone who wants to take on a competency role for security testing.”

The chief scientist at the large software vendor has developed an application security awareness program that includes training on common vulnerabilities, through podcasts and videocasts. Once he builds up awareness, he’ll educate developers on secure coding standards. To complete the circle, he’ll introduce Ounce’s static code analysis tool to enforce the standards and catch vulnerabilities, “so it’s a feedback loop,” he says.

30©  consider  using  more  than  one  tool. 
Collin  Park,  senior  engineer  at  NetApp, 
says  the  company  uses  two  code  analysis 
tools:  Developers  run  Lint  on  their  desk¬ 
tops,  and  the  company  uses  Coverity  each 
night  to  scan  all  completed  code.  “They 
catch  different  things,”  he  explains.  NetApp 
began  using  these  tools  when  its  customer 
base  shifted  to  enterprise  customers,  who 
had  more  stringent  requirements.  While 
Coverity  is  better  at  spotting  vulnerabilities 
such  as  memory  leaks,  Lint  catches  careless 
coding  errors  that  developers  make  and 
seems  to  run  faster  on  developer  desktops, 
Park  says. 

According  to  Kelley,  organizations 
typically  implement  static  analyzers  at  two 
stages  of  the  development  process:  within 
the  development  environment,  so  devel¬ 
opers  can  check  their  own  code  as  they’re 
writing,  and  within  the  code  repository,  so  it 
can  be  analyzed  at  check-in  time.  The  chief 
scientist  uses  this  method.  “In  the  first  scan, 
if  the  engineer  takes  every  finding  and  sup¬ 
presses  them,  a  milestone  scan  will  catch 
those  and  generate  a  report,”  he  says. 
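As an added illustration of the milestone-scan check the chief scientist describes (example code written for this page, not Ounce’s, Coverity’s or any vendor’s; the rule names, paths and findings are constructed), the audit below keys each finding on a fingerprint that ignores line numbers, so a suppression survives unrelated edits, and re-reports every suppressed finding, flagging those recorded without a justification:

```python
"""Milestone audit of suppressed static-analysis findings (added example; not
code from Ounce, Coverity, Lint or any company in the article). A developer
suppresses findings in a desktop scan; the milestone scan re-reports every
suppressed finding so a reviewer can check its justification. All rules,
paths and findings below are constructed for illustration."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # checker id, e.g. "SQL_INJECTION" (constructed)
    path: str
    line: int
    snippet: str   # the flagged source line as reported by the scanner

    def fingerprint(self) -> str:
        # The key deliberately omits the line number and ignores whitespace:
        # a suppression must survive unrelated edits above the finding, but a
        # finding that moves to different code (or a different rule) is new.
        code = "".join(self.snippet.split())
        raw = f"{self.rule}|{self.path}|{code}".encode()
        return hashlib.sha256(raw).hexdigest()[:16]


@dataclass(frozen=True)
class Suppression:
    fingerprint: str
    who: str
    reason: str    # empty string: suppressed with no justification recorded


def milestone_report(findings, suppressions):
    """Classify milestone findings against the suppression list.

    open: not suppressed; suppressed_ok: has a justification;
    suppressed_unjustified: no reason recorded (needs review);
    stale: suppression whose finding no longer appears (fixed or moved).
    """
    by_fp = {s.fingerprint: s for s in suppressions}
    seen = set()
    report = {"open": [], "suppressed_ok": [],
              "suppressed_unjustified": [], "stale": []}
    for f in findings:
        fp = f.fingerprint()
        seen.add(fp)
        s = by_fp.get(fp)
        if s is None:
            report["open"].append(f)
        elif s.reason.strip():
            report["suppressed_ok"].append((f, s))
        else:
            report["suppressed_unjustified"].append((f, s))
    report["stale"] = [s for fp, s in by_fp.items() if fp not in seen]
    return report


def needs_review(report) -> bool:
    """True when the milestone scan should block sign-off."""
    return bool(report["open"] or report["suppressed_unjustified"])


# Constructed sample data: what the desktop scan reported last week ...
DESKTOP_SCAN = [
    Finding("SQL_INJECTION", "src/db.py", 42,
            'cur.execute("SELECT * FROM t WHERE id=" + uid)'),
    Finding("HARDCODED_PASSWORD", "tests/fixtures.py", 7,
            'PASSWORD = "test-only"'),
    Finding("RESOURCE_LEAK", "src/io.py", 19, "f = open(path)"),
]

# ... what the developers suppressed, with or without a reason ...
SUPPRESSIONS = [
    Suppression(DESKTOP_SCAN[0].fingerprint(), "dev2", ""),
    Suppression(DESKTOP_SCAN[1].fingerprint(), "dev1",
                "test fixture, never shipped"),
    Suppression(DESKTOP_SCAN[2].fingerprint(), "dev3",
                "handle is closed by the caller"),
]

# ... and what the milestone scan sees: db.py gained lines above the old
# finding (it is now on line 57), io.py was fixed, and a new query appeared.
MILESTONE_SCAN = [
    Finding("SQL_INJECTION", "src/db.py", 57,
            'cur.execute("SELECT * FROM t WHERE id=" + uid)'),
    Finding("HARDCODED_PASSWORD", "tests/fixtures.py", 7,
            'PASSWORD = "test-only"'),
    Finding("SQL_INJECTION", "src/db.py", 80,
            'cur.execute("DELETE FROM t WHERE name=" + name)'),
]

if __name__ == "__main__":
    rep = milestone_report(MILESTONE_SCAN, SUPPRESSIONS)
    for bucket, items in rep.items():
        print(f"{bucket}: {len(items)}")
    print("needs review:", needs_review(rep))
```

The unjustified suppression on the moved finding is what the milestone report surfaces; the stale suppression is worth pruning so it cannot silently hide a future finding with the same fingerprint.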

DO analyze pricing: Vendors have different pricing strategies, McDonald says. For instance, while all continuously add information to their libraries about the latest vulnerabilities, some charge extra for this,


20  www.csoonline.com  February  2009 


while others include it in the maintenance fee, he says. In addition, some vendors charge per seat, which can get expensive for large shops and may even seem wasteful for companies that don’t intend to run the scanner every day, while others charge per enterprise license. Additionally, some vendors charge for additional languages, while others charge one price for any language they support, McDonald says.

DO plan to amend your processes. Tools are no replacement for strong processes that ensure application security from the beginning, starting with defining requirements, which should focus on security as much as functionality, according to Kelley. For instance, a tool won’t tell you whether a piece of data should be encrypted to meet PCI compliance. “If a company just goes out and buys one of these tools and continues to do everything else the same, they won’t get to the next level,” she says.

The chief scientist says it’s also important to determine what will happen when vulnerabilities are found, especially because the tools can generate thousands of findings. “Does the workflow allow them to effectively analyze, triage, prioritize or dispose of the findings?” he says. He is working with Ounce to integrate the system better with his current bug-tracking system, which is Quality Center. “It would be great to right-click on the finding to automatically inject it into the bug-tracking system,” he says.

At NetApp, Park has reworked existing processes to ensure developers fix flagged vulnerabilities. As part of doing a code submit, developers do a test build, which must succeed or it can’t be checked in. Then, when they check in code, an automated process starts an incremental build. If that build fails, a bug report is filed, complete with the names of developers who checked in code before the last build. “Developers are trained to treat a build failure as something they have to look at ‘now,’” Park says.

NetApp also created a Web-based chart that’s automatically updated each night, to track which managers have teams that were issued Lint or Coverity warnings and whether they were cleared.

DO retain the human element. While the tools will provide long lists of vulnerabilities, it takes a skilled professional to interpret and prioritize the results. “Companies don’t have time to fix every problem, and they may not need to,” Kelley says. “You need someone who understands what is and is not acceptable, especially in terms of a ‘time versus perfection’ trade-off.”

Park points out an instance where the Coverity tool once found what it called “a likely infinite loop.” On first glance, the developer could see there was no loop, but after a few more minutes of review, he detected something else wrong with the code. “The fact that you get the tool to stop complaining is not an indication you’ve fixed anything,” Park says.

DON’T anticipate a short scan. NetApp runs scans each night, and because it needs to cover thousands of files and millions of lines of code, it takes roughly 10 hours to complete a code review. The rule of thumb, according to Coverity, is that for each hour of build time, allow two hours for the analysis to be completed. Coverity also enables companies to do incremental runs so that you’re not scanning the entire code base, just what you’ve changed in the nightly build.

DO consider reporting flexibility. At the FAA, Brown gets two reports: an executive summary that provides a high-level view of vulnerabilities detected and even provides a security score, and a more detailed report that pinpoints which line of code looks troublesome and the vulnerability that was detected. In the future, Brown would like to build into vendor contracts the requirement that they meet a certain security score for all code they develop for the FAA.

DON’T forget the business case: When Brown first wanted to start reviewing code, he was met with some pushback from managers who wanted a defined business need. “You’ve got program managers with schedules to meet, and they can view this as just another bump in the road that’s going to keep them from making their milestones,” he says.

Brown created the business case by looking to independent sources like Gartner and Burton Group for facts and figures about code vulnerability, and he also ran reports on how much time the FAA was dedicating to patch management.

The chief scientist justified the cost of the Ounce tool by taking the total cost of the product and comparing that to the effort involved in a manual review. “With millions of lines of code, imagine how many engineers it would take to do that and, by the way, we want to do it every week,” he says. “The engineers would fall down dead of boredom.” ■


Mary Brandel is a freelance writer based near Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.


Code Check

Market share leaders, according to Gartner

VENDOR             MARKET SHARE 2006   MARKET SHARE 2007   CHANGE
Fortify Software   13.3%               17.3%               83.2%
Coverity           15.0%               16.1%               51.4%
Klocwork           13.3%               15.4%               62.5%
Other vendors      9.2%                8.8%                34.7%
Watchfire          21.7%               7.6%                -51.0%
SPI Dynamics       17.6%               6.9%                -45.2%
IBM                0.0%                6.7%                0.0%
HP                 0.0%                6.4%                0.0%
Ounce Labs         2.6%                5.7%                208.1%
Cenzic             3.5%                2.9%                17.1%
WhiteHat           2.1%                2.3%                52.0%
Veracode           0.0%                2.1%                0.0%
Acunetix           1.2%                1.5%                76.8%
Compuware          0.6%                0.5%                11.7%
Total              100.0%              100.0%              40.5%



COVER  STORY  |  BUDGETS 


SMALLER  BUDGET 


Small businesses have to be crafty to handle security with fewer resources. Here are bright ideas for SMBs.

BY LAUREN GIBBONS PAUL


ADAM HANSEN IS that rare bird in the small to midsize business realm: He is a CSO. Hansen heads up security for Sonnenschein, Nath and Rosenthal, an 800-attorney law firm in Chicago.

Granted, Hansen’s employer sits on the higher end of the SMB size spectrum, but it is still relatively uncommon for companies with revenues under $500 million to have a person devoted to security. Hansen is rarer yet in that he leads a staff of six security professionals, who handle all aspects of physical and information security for the firm, which has 16 offices. “I’ve been lucky here,” he says. Many companies of comparable size don’t have anyone who takes a global view of security.

When it comes to information security, most IT people at SMBs tend to be generalists rather than specialists like the ones at Sonnenschein. “They put in a new disk farm yesterday, today they’re doing a website, tomorrow they will do something with security,” says Darrell Rodenbaugh, senior VP of the midmarket segment for McAfee Security, a security software vendor in Santa Clara, Calif.

McAfee surveys its vast SMB user population frequently to discern their security practices and habits. “Most spend less than an hour a week proactively managing security,” says Rodenbaugh. According to the most recent McAfee survey, most SMB respondents did not believe they are a likely target of cybercrime. “They don’t think they are well enough known, but nothing could be further from the truth.”

SMBs are still in security catch-up mode compared with large enterprises, according to Adam Hils, principal research analyst for the Atlanta office of Gartner. But catching up they are. One sign of maturity: SMBs are now more likely to have formal, written security policies, according to a recent Gartner survey (see “SMB IT Security Spending Habits,” Page 27). About 47 percent of Gartner SMB survey participants have developed and adopted a formal security policy. And about 30 percent more plan to develop one this year.

Illustration by John MacDonald

That has been a big trend in the last year or so, according to Hils. Regulatory compliance is a major driver to formalize policies on the information security side, especially for retail companies that are within the purview of PCI (the Payment Cards Industry Data Security Standards). Even companies that are not big enough to be covered by government regulations will have to comply if they work with larger partners who do.

“Most companies of this size don’t take a closer look at security unless they have to for some reason,” says Corey Thomas, vice president of marketing and product management for Rapid7, a Boston-based consulting firm. After adopting the basic level of protection, they are often tempted to sit back.

That approach isn’t good enough. “A frivolous lawsuit, a key theft or one cyberattack can cripple a small business immediately,” says Charles Foley, CEO of TimeSight Systems, a video surveillance vendor in Mount Laurel, N.J. Since resources are short, though, whatever security measures SMBs do take need to be cost-effective and easy to implement.

“We spent several years trying to scare our [SMB] customers into spending more time and money on security,” says Rodenbaugh. “I am now convinced that we have to figure out a better story. [Security measures] have to be extremely cost effective.”

The need to be thrifty is hardly headline news in this space, in this economy. But we have identified five key security trends that are affecting SMBs, along with some ideas on how to capitalize on them:

Risk management should form the foundation of your security practices. The idea of taking a holistic, risk-based approach is not a new one; enterprise-size companies have been doing it for decades. But their smaller counterparts should use risk management as the foundation of their security policies, as well. Security, therefore, should encompass not just information and physical premises, but also the other types of risk companies face, including financial risk, credit risk, reputational risk, market risk. The CSO may not be able to make a decision affecting an area such as market risk—this would be up to the C suite or business owner. But he should view it as a duty to identify and inform about the different types of risk. Hansen at Sonnenschein has all of the major risk types on his radar screen. “We have been fortunate so far only to have to really worry about IT risk. But that scope is expanding quickly,” he says.

Bright idea: Factor in threats generated by current conditions and address the most pressing ones first. The economic downturn means a lot of retail companies are dealing with higher-than-usual levels of shrinkage and returns fraud. If you think your company is exempt from this sort of threat, think again. For example, if you have a small business that installs wiring, you need to be aware of and mitigate against the current rise in copper theft. “There is a booming business selling copper on the black market,” says Foley. “If you have a wiring business, people will steal the wire for the copper and then sell it.” The key is to mitigate against threats that have sprung up due to bad economic conditions, as well as other less-expected avenues.

The ongoing merger of information security and physical security is good news for SMBs. In past years, you had to have separate networks for information technology and physical security. Now, physical security continues its march onto the IP network. “We’re seeing a strong trend to bring physical security systems like surveillance and access control together with IT security systems,” says Foley. Just a few years ago, this was not possible. “Everything had to be wired separately. Now they can be plugged into the IP network, wired or wirelessly. It is much more cost effective to leverage the common infrastructure,” he adds. Physical security devices such as card readers and video recorders can run on the network, creating a new class of security information. But beware, you will need a new set of policies to control this new information asset.

Bright idea: Explore your own unique information- and physical-security applications. TimeSight Systems’ SMB customers are mixing up information and physical security in innovative ways, reports Foley. For example, the access control system can link to the network so employees will not be allowed to sign on to the corporate network until they have swiped their ID card to get into the building. Obviously, this would not work for the millions of companies where employees sign onto the network from home. Still, there are many interesting possibilities here.

Video surveillance and analytics are now within the reach of SMBs. Video surveillance is one of the fastest growing areas in physical security, according to IMS Research. Companies of all sizes are snapping up well-priced video cameras and video analytics systems that allow you to store high-quality images of relevant data such as individual faces and license plates. “[Video analytics] act like a digital guard at a fraction of the cost of a human guard,” says Scott Schnell, president and CEO of VideoIQ, in Bedford, MA. “It detects when a person or vehicle enters an area where you have set it up to alert you. The system can detect people who are loitering or lingering after hours and apply rules about their behavior.” Prime video surveillance users are hotels, casinos, banks, high-end retail and car dealerships. VideoIQ’s camera has a suggested retail price of $1,800, which includes the video camera, enough storage for two months of continuous taping and PC software.

Vendors are scrambling to introduce innovative new video technologies at a price point that is attractive to SMBs. For instance, the high cost of storage hardware traditionally limited SMBs from deploying video surveillance. TimeSight sells what it terms “video lifecycle technology,” which automatically reduces the amount of data stored on the system over time by degrading the quality of the video. “The user can say, ‘If nothing has happened within one week of taking this footage, compress the video down to one-third of its original size. If nothing has happened after a month, compress it down to one-eighth of its original size,’” he says. This makes video storage more efficient and helps SMBs avoid buying new hardware.

Hansen at Sonnenschein uses a “smart” video system: “If there is no movement, the camera doesn’t record. It only takes and stores what we might need.” The system takes the place of human guards. “For me to hire guards would be an extraordinary cost.”

Bright idea: When attempting to justify the cost of video surveillance, visit the marketing folks to see if they could use the system for business purposes, advises Foley. Not only will you be more likely to get the funding you need for video surveillance, but you will do a good turn for the business side of the house. “Marketers can do things like people counting. They can analyze how many people were clustered around that end-cap display, and how long were they there?” That kind of data can help marketers optimize the business, potentially a very great benefit.

Outsourcing is more popular than ever. Seeking lower costs, businesses of all sizes are using all types of security services provided by third parties.

Ed Eskew outsources his security function wholesale to a trusted provider. Chief information officer for Bernard Chaus, a $118 million privately held maker of women’s apparel, Eskew outsources the majority of his technical infrastructure, including security, to a service provider that he has grown with over the last 10 years.

The provider has full-time staff on the premises at each of Chaus’s six facilities throughout New York and New Jersey.

“This arrangement allows me access to every possible skill set that I need to support my environment. They use a lot of state-of-the-art technologies. We have VPNs to [contract manufacturers in] Hong Kong and China. We have secure remote checkpoint technology to mitigate and manage security from those locations,” says Eskew.

“They rotate their own engineers through our facilities so there is constant replacement and overlap. There is a constant refreshing of skills,” he says, adding that the arrangement is cost effective compared with doing it in-house. His IT spend is a bit less than 1 percent of revenues, which were $118 million in 2008. “To bring all these skills on staff becomes cost-prohibitive—at least $500,000 to bring it in-house. I am paying 25 percent to 30 percent of that to outsource it.”

Bright idea: Wholesale outsourcing is better as a trusted relationship built up over time. Sending your security function to an unproven provider would increase your risk exponentially. “There is too much at stake,” says Eskew. “You need to make sure you know who you’re dealing with. We have a nice relationship, built up over many years. You don’t go out day one and go from nothing to this, in my opinion.”

SMB IT Security Spending Habits

■ For 2008, almost two-thirds of SMBs projected business growth (63 percent), but that’s twice the number of SMBs that expect security budget growth (33 percent).

■ Data security and privacy and infrastructure protection, not regulatory compliance, are still the primary drivers of IT security spending.

■ Because of limited security staff and granular senior-level budget control, SMB business leaders drive and influence security purchasing decisions.

This survey was fielded before the current world economic challenges. In a prolonged or sharp downturn, some of the SMB behaviors will likely shift:

■ Business growth and security budget growth will slow down.

■ Large capital purchases (hardware and software) will be delayed.

■ Security as a service will become a larger portion of security spending.

Source: Gartner survey of 283 SMB executives worldwide

Recognize that you can’t take people out of the equation. You need policies, and you need to train your employees on what is acceptable and what isn’t. But “changing the way people act is not a way to enforce security,” says Hils of Gartner. “It would be, in a perfect world, but this is the real world.” What that means: No matter how much you would like to, you cannot legislate all risky technologies and platforms out of most environments. “You can’t outlaw things like IM and Facebook,” says Thomas of Rapid7. “Your users will just find workarounds to your restrictions, and then you’ll have no [visibility].” Instead, you have to help people find ways to engage constructively with riskier modalities such as online document-sharing applications, outside collaboration platforms and social networks. “Employees are just trying to get their jobs done. There are a lot of online tools that can help them do that. But they need to be trained about processes and procedures on how to manage them,” says Thomas.

Bright idea: When it comes to people, resist the urge to lock down everything in sight. Top-down management does not work except in limited circumstances. The process is not unlike raising teenagers, says Thomas. “You want to establish a dialog so that they will know how to make the right choice when the time comes.” He advises, “Aim for progress, not perfection.”

If you are in charge of security at an SMB, you have our support. “SMBs are getting really crunched right now,” says Foley. “They don’t have big funds and they don’t have big staffs but if they want to compete, they better deliver the same quality of goods as the big players.” And that means having security that is on par with large companies.

On the other hand, be thankful that you don’t have to deal with big-company headaches. “My friends who do my job at gigantic companies, they have different issues,” says Hansen of Sonnenschein. “They have size, but that can be a problem. Size slows you down. I can be a lot more nimble and make quicker security decisions.” ■


Lauren Gibbons Paul is a freelance writer based outside Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.




EXECUTIVE  PROTECTION 


The presidential inauguration and roiling anticorporate sentiment put executive protection in the spotlight. Expert Robert Oatman explains the elements of a good program, the impact of technology and more.




Robert Oatman wrote the book on executive protection—literally. Oatman, author of Executive Protection: New Solutions for a New Era, spoke with Senior Editor Joan Goodchild about the importance of relationships, the impact of technology and how CSOs should plan their protection programs.

CSO: What are the absolute basics of a good executive protection program?

Robert Oatman: I have been a strong advocate of concentrating on the fundamentals. It is the foundation of any serious executive protection program. It is all about the details. If you conduct your mission with purpose and a plan you will be successful.

My first challenge is based on the risk assessment. How can you protect any principal if you can’t identify the risk? You then work from a starting point so that your protective effort is realistic and reliable.

We see serious issues when the proper planning has been left to chance. You need to gather the facts and build your program on sound principles so that you execute in a reasonable and correct manner. I like to use the analogy of constructing a building: Without a professional architect, the structure automatically is in jeopardy. Without proper planning you are placing your principal in harm’s way.

Proper training is necessary so the EP specialist knows how to blend into the C-suite environment. A close connection with the protectee and his or her inner circle: spouse, executive assistant, drivers, housekeepers, closest colleagues and others who inhabit the protectee’s daily orbit. This connectedness greatly increases the EP specialist’s ability to protect the principal.

Another important component is access to the necessary information, such as the principal’s daily schedule, upcoming travel plans, both work and nonwork, work activities that might generate special risk and any odd or threatening communications.

How much of a role does a good personality play in making these things work?

It’s the number-one characteristic you have to display. You need the right chemistry so that you and the principal you protect get along well. And that is not always the case. You can have someone with really a fantastic professional background in protection, but if that chemistry isn’t on the mark, it’s destined to fail.

It’s just as important to be approachable. In order for us to be successful in executive protection, we’ve got to have allies up and down the main stream of the company. If you want to get things done, you can’t do it by yourself. You’ve got to be able to get along with people.

What are the things people tend to overlook in an EP program?

Understanding that chemistry between the principal and the executive protection detail. You need buy-in from the top, support from upper management and communication from those we protect.

In executive protection it is all about the details. There is a common misnomer that anyone can provide protection. But without the proper training and support, the mission will be compromised.

Programs can also overlook collecting information on the principal’s various life-locations, becoming familiar with those locations, the risks surrounding them and the protective resources nearby. We’ve seen EP programs where the EP manager didn’t know the locations of the principal’s several houses. It’s just not possible to protect a person in, or extract him from, an unknown location.

In a big company, where executive protection must interface with several other departments, what advice would you give to make those relationships work smoothly?

This is the key to success: Being able to build strong relationships without stepping on someone’s turf. You need to understand the corporate culture and nurture that support so that everyone is on the same page.

We need to articulate our mission and get buy-in from those who are the gate keepers. By gate keepers I mean the executive administrative assistant. The administrative assistant to the principal plays a vital role in your success. Upper management needs to understand your mission and support your program.

Executive protection is based on facilitation. You need to not only interface with your travel department, but they have to understand your requirements and support those abrupt changes in schedules. If your corporation is supported by Flight Operations, if the executive travels with a private jet for instance, there should be a close relationship established so that you work in harmony to get the job done.

I am a firm believer that we need to explain the role of executive protection. Don’t work in a vacuum and treat everyone with respect. If you explain your concerns, your mission, folks will appreciate the openness.

Sometimes executive drivers are organizationally part of a transportation or facilities department that is not specifically focused on executives. We have found that EP programs can coordinate activities and information exchange much better when they move their executive driving programs into the EP organization. Closer integration leads to better protection with a smaller chance of letting a key detail slip through the cracks.

How might current events have an effect on executive protection in companies around the country? The corporate bailouts and the Madoff scandal, as two examples, have led to an intense amount of negative sentiment toward business.

This is a very challenging question. I believe that executive protection should be elevated to a high concern based on present conditions. Name any U.S. company that has not been impacted by this economic downturn: From layoffs to terminations to bankruptcy, it is unprecedented. This is not the time to downplay the importance of protection but to support the protective effort.

I go back to the risk assessment model: Not a day goes by that the media doesn’t zero in on top executives and the loss of confidence in the market. The big three automotive companies testifying before Congress received a lot of attention. The executives were lambasted for riding into town on the corporate jets. There is anger among the populace about executive compensation. Employees are being terminated or their company has gone bankrupt because of the economic impact. To make matters more dire, the Madoff scandal has really galvanized the Web and the media.

It is all about corporate greed.

Those CSOs responsible for the protection of the corporations’ leading assets should be proactive in their approach to these challenging times. This is not the time to worry about the PR side of the company. It is time to assess the vulnerability of their principals.

I believe that a professional executive protection program will offer a level of protection that can be seamless and effective. We can lower the protective profile by engaging in a countersurveillance effort that will allow us to blend in and be capable of identifying a potential adversary and act accordingly. The fundamentals will give you a great return. Itineraries will be carefully orchestrated, and a low-key professional approach will be seamless to those around the CEO.

Advances will be a priority, as they should be, and public spaces will be secure within reason.

The cost of EP is always justifiable when the risk is there. The cost of losing an executive through an attack—or even an accident—is almost certain to greatly exceed the cost of protecting the executive in the first place. The cost of losing, or even nearly losing, an executive when he or she could have been kept safe is huge. Just imagine the loss in terms of organizational disruption, morale, fear, corporate image, investor confidence and other factors. It’s also important to remember that EP actually increases an executive’s productivity by facilitating safe, fast movements from point to point. So, in good times and bad, executive protection earns its keep.

On a global level, the Benazir Bhutto assassination occurred a little over a year ago. What went wrong there?

The Benazir Bhutto assassination, in my opinion, was not a question of would the assassination happen, it was when it would happen. Historically, 82 percent of assassinations and attempts occur in or around an automobile. Her arrival at the site where she would give her last speech to her supporters was uncontrolled and chaotic. Her departure was even less secure and proved to be deadly to her and those around her motorcade. This supports our premise that planning and training are vital for the correct approach to executive protection.

President-elect Barack Obama has already received lots of threats. What new challenges will his protective force face with his installment?

I believe that the expertise and level of security provided by the men and women of the United States Secret Service will be up for the challenge. They have decades of experience and have met other challenges head on. They have had the opportunity to provide protective coverage and intelligence when Mr. Obama was running for the office of President of the U.S. The planning and logistics of protecting the 44th President of the U.S. and his family will be monumental and they will rise to the occasion.

The issue of Obama’s BlackBerry was controversial. He has been urged not to use it while in office because of the risks associated with it. These days, many executives carry GPS-enabled phones. Do these pose challenges?

We are concerned about the loss of confidential information or real-time data for those executives who utilize PDAs and mobile phones. It is our job to make sure the devices are not left behind or that confidential information is not being overheard by a third party. These are new challenges that need to be part of the planning process.

As always, it’s a challenge to find the right balance between security that is keeping the executive safe, and productivity, which is letting the executive be an executive. If a PDA falls into the wrong hands, the information loss could create some risks. On the other hand, if a device is secured so completely that the executive can’t use it, or loses a lot of time getting it to work, then security is hobbling the protectee too much.

At the very least, the EP program should be close enough to the principal that it will find out right away if he loses his PDA and then change travel plans or enact protective measures as appropriate.

Any other tech advances in recent years that have required new thinking or new precautions?

The World Wide Web is a concern. The ability to utilize Google Earth, which can give an adversary the ability to download the principal’s address and see the office, the home or the golf course they operate in. The ability to place a device on the principal’s car or his family to track their exact location undetected. The sophistication of listening devices that can be planted undetected in an office or conference room including the home. These are all new concerns in our field.

What are students in executive protection training programs learning now that might be new?

Less emphasis on the gun and more on planning and intelligence is the future of executive protection. The opportunity to utilize countersurveillance to “watch the watchers” and being able to blend in and support the protective team. The ability to use technology to your advantage and harness the energy to be in front of the curve so that you are proactive and not reactive.

We are stressing the idea of putting the protectee under a 24-hour protective umbrella. That does not mean the protectee is accompanied by an EP specialist at all times. Instead, it means the EP program is, at all times, doing two things: The first is monitoring the rise and fall of the risk level that the principal faces. The second is providing the level of protection appropriate to the risk. That may mean in-person protection, or it may mean simply being on-call and prepared to respond in an optimal fashion if needed.

The key is to view the principal as being under a protective umbrella at all times, where the degree of protection varies according to the risk. ■

Photography by Christopher Hartlove


[undercover]

By Anonymous

The Company that Did Everything Wrong

A comical, yet sad visit to one company that had suffered a data breach (Part 1)


The plane landed late afternoon at a small airport in California that looked like it could have been a scene from a 1960s movie. My team and I walked down the metal stairs (no Jetway at this airport) and across the tarmac to the one-and-only baggage claim carousel.

After gathering our luggage, we got into our rented cars and headed to the client site, where the CISO would be waiting for us.

We arrived shortly before 5 p.m., got our badges at the security desk and our contact came out to escort us inside. “Michael” is the CISO at “Client X” and the stress of the last few days has worn heavily on him. He looked like he hadn’t been home in a couple of days. His clothes were badly wrinkled, his face sported a two-day-old beard and his eyes were red. He escorted us into his office and updated us on the situation.

“Two days ago,” he said, “a number of people at the company, including corporate executives, their secretaries, HR personnel and others, were the victims of a well-orchestrated, well-researched spear phishing attack. The e-mail contained a message talking about a very specific program where Client X had just won a bid with the government. At the end of the message was a link that purported to be on our internal network, though it wasn’t. It linked to a site outside the company. Most of the recipients did not open the e-mail because they said it had a strange feel, but unfortunately a few of them did. Of those who opened it, most clicked the attached link. Unfortunately, the information security and information technology functions here are separate and report up two different chains of command. Days passed and no one was aware of what was happening. But then I got a phone call telling me that we were under a full-scale attack.”
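The deceptive link Michael describes, visible text that names an internal host while the real target is outside the company, is something a mail gateway or a help desk script can screen for mechanically. The following Python is an added example, not code from the article or from the response team it describes; the company domain clientx.example and the sample message are constructed.

```python
"""Screen an HTML e-mail for links whose visible text names an internal host
while the actual href points somewhere else.

Added example, not code from the article or from the response team it
describes. The company domain and the sample message are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed corporate domain(s); anything not under these is "outside the company".
INTERNAL_SUFFIXES = ("clientx.example",)


def is_internal(host):
    """True if host is one of the internal domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text):
    """Hostname of a URL, or of bare text that looks like a hostname/URL."""
    if "://" not in text:
        text = "http://" + text
    try:
        return (urlparse(text).hostname or "").lower()
    except ValueError:
        return ""


def find_deceptive_links(html):
    """Return links whose displayed host is internal but whose target is not."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = _host_of(text)
        target = _host_of(href)
        if shown and is_internal(shown) and not is_internal(target):
            findings.append({"shown": shown, "target": target, "href": href})
    return findings


# Constructed message modelled on the one described in the article.
SAMPLE_MAIL = """<p>Client X has been awarded the program contract. Details:</p>
<a href="http://203.0.113.7/award/details.pdf">https://intranet.clientx.example/bids/award.pdf</a>
<p>HR portal: <a href="https://portal.clientx.example/hr">https://portal.clientx.example/hr</a></p>
<p><a href="https://www.example.org/news">Read the press coverage</a></p>
"""

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_MAIL):
        print("suspicious: shows %(shown)s but goes to %(target)s (%(href)s)" % f)
```

Only the first link is reported: its visible text claims intranet.clientx.example but the href resolves to an outside address. Plain-language anchor text is left alone, since the check is about a displayed hostname contradicting the real one, which is the cue the recipients in the story had no tooling to surface.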

I asked: “What kind of attack are you facing and how do you know?”

In fact, Michael said, his team at first had no clue as to what was afoot. They lacked the equipment to detect a breach and, even if they did, lacked the human resources to monitor such equipment. He told us his staff consists of one full-time employee and one half-time assistant who is shared with the help desk. The company was informed of the breach by a government agency that was able to watch the contents of one of the company’s hard drives fly across an Internet connection that the agency was monitoring.

“Trust me, that was a phone call I wish I had never received,” Michael said. “The officer couldn’t say much because the investigation is ongoing and because I am only cleared to secret. He said enough to get us very, very worried.”

What did they say? I asked.

Michael: “They said we were hacked by a group sponsored by a rogue state. They targeted many different government contractors and saw the contents of one of our secretary’s computers fly past their monitoring station. It was only when I got this call that I started putting two and two together. We went to this secretary and asked if she opened any e-mail attachments recently. She said not recently, but the week before, she clicked a link in an e-mail, but the document that she was expecting didn’t open. So she clicked a couple more times. Finally she gave up and called the help desk. This happened last week.”

So the intruders had been in the company’s network for at least a week. I asked what information the secretary had on her local hard drive and, more importantly, what information she had access to.

She had access to just about everything on the internal network, Michael said. And since the company had no network monitoring in place, nothing was preventing outsiders from monitoring network connections.

“What does your network topology look like?” I asked. “What kinds of equipment do you have in place and where?”

Michael: “It doesn’t look good. We are a large, geographically dispersed organization. We have about 10,000 users in 127 locations, with about 50 separate [access points] to the Internet. The organization is busy buying other companies like there’s no tomorrow and, with each new acquisition, our security posture gets worse and worse. For the most part, each one of the acquired companies is an independent subsidiary and security varies wildly between them.”

He said they had tried over the past year to start integrating them into distinct business groups, but the IT vision of that integration was a security nightmare. They set up network connections between all the units to facilitate communication and to try to consolidate some of the e-mail and time sheet programs. But these connections had been unfiltered and unmonitored. Data flowed unrestricted between all business units. There were no security enclaves, no defense-in-depth, nothing. The topology was a hacker’s dream.

“What about firewall logs? Router logs? Server event logs? How long are they stored?” I asked.

Michael: “What logs? Remember that each business unit is different, but here at corporate we don’t have logs. In fact, logging was turned off by the help desk because they got tired of responding to false alarms. Help desk reports to the IT director, not to security. You’ve heard the Jesper Johansson quote about computer network security: ‘Hard and crunchy on the outside and soft and chewy on the inside?’ Well, we’re not even hard and crunchy on the outside. Our perimeter has holes big enough that you could drive a truck through.”

My team had its work cut out for them. We asked Michael to set up a war room for us, and we handed him a list of things we were going to need.

The makeup of our team changes depending on the needs of each specific engagement, but on this project, we had four team members on-site and an additional two available off-site: Bob, our senior forensics investigator; Victor, a seasoned systems admin; Sam, a junior resource; and myself, the PM and networking resource. The additional off-site personnel are Jerry, the best Python and shell scripter I know, and Dave, an independent resource who specializes in reverse-engineering malware. With these six assets, the work began.

Bob began with the computer that had originally been infected with the e-mail attachment. All of our data breach engagements include a forensics component, even if the client is convinced that they are not going to prosecute.

Aside from the fact that NIST (National Institute of Standards) states that making forensics copies is a best practice after a computer incident, having a pristine copy of the compromised computer has proven very helpful in the past. While Bob began the forensics copy of the hard drive, the rest of the team began their work: Victor asked to be escorted to the server room where he would begin poring through whatever log files the servers had; Sam began the process of taking meticulous and copious notes regarding all of the team’s activities; and I sat down with Michael in his office to gather more information.

We find that there are often nuances and subtleties within an organization that can sometimes help with the investigation, and this case was no exception. A few hours into the investigation, at about 9 p.m., we had already started making progress and I had some news to share with Michael.

The good news was that the forensics copy of the hard drive was finishing but, while this process was underway, Bob had been looking at the Exchange server with Victor. Bob found the e-mail that contained the link and had already resolved the IP address to a site in Spain. Using one of our hardened Linux computers and connecting out through a VPN tunnel to one of our remote computers in another country, Bob examined the questionable site.

The preliminary results showed that the site was a legitimate site that had been compromised. But because our test platform had not been compromised, we deduced that there must be another part of the site that the attacker used as a staging area.

The bad news came from Victor.

As we had been informed, logging had indeed been turned off on all the servers. Even the hidden logging that Windows does had been disabled. The help desk personnel certainly knew what they were doing because all logging on the servers had been disabled. Worse was the fact that logging on routers and firewalls had also been disabled.

The client was being its own worst enemy, but at least there were no more of those annoying IDS alarms to investigate. The lessons up to this point were clear:

■ The company had no security policy whatsoever; no guidelines on the right and wrong ways to handle e-mail, no access control procedures and no accountability.

■ By shutting off all the logs, the help desk violated one of the basic rules of security: to keep and monitor detailed logs of activity inside and outside the network—learning along the way to tell the difference between normal network noise and activity outside the norm that could be malicious.

■ The company allowed data to flow unrestricted between business units when it should have been segmenting the network to better protect proprietary information.

■ The company dove into an acquisition spree without putting a review in place to find security holes and tighten them.
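The second lesson, keeping logs and learning what normal looks like so that the abnormal stands out, is the part even a two-person team can automate once logging is back on. The following Python is an added example, not code from the article: it builds a per-host baseline from a week of constructed firewall log lines and then flags a workstation’s session to a never-seen destination that carries far more data than anything in that host’s history, which is the kind of event the monitoring agency spotted and the client could not. The log format, the addresses and the 10x threshold are assumptions.

```python
"""Baseline a host's outbound sessions from firewall logs and flag what falls
outside the norm: a destination never seen before, or a transfer far larger
than anything in the baseline.

Added example, not code from the article. The log format, addresses and all
sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed format: "<ts> fw <ACTION> src=<ip> dst=<ip> dport=<n> bytes_out=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>[A-Z]+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse(lines):
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            e["bytes"] = int(e["bytes"])
            events.append(e)
    return events


def build_baseline(events):
    """Per source host: the destinations seen and the largest bytes_out seen."""
    dests = defaultdict(set)
    max_bytes = defaultdict(int)
    for e in events:
        dests[e["src"]].add(e["dst"])
        max_bytes[e["src"]] = max(max_bytes[e["src"]], e["bytes"])
    return dests, max_bytes


def find_outliers(baseline_lines, new_lines, ratio=10):
    """Return (ts, src, dst, bytes_out, reasons) for sessions outside the baseline."""
    dests, max_bytes = build_baseline(parse(baseline_lines))
    findings = []
    for e in parse(new_lines):
        reasons = []
        if e["dst"] not in dests[e["src"]]:
            reasons.append("destination not seen in baseline")
        # A host with no baseline compares against 0, so any non-empty transfer flags it.
        if e["bytes"] > ratio * max_bytes[e["src"]]:
            reasons.append("bytes_out more than %dx the largest baseline session" % ratio)
        if reasons:
            findings.append((e["ts"], e["src"], e["dst"], e["bytes"], reasons))
    return findings


# Constructed baseline week: one workstation talking to internal mail and file servers.
BASELINE = """\
2009-01-12T08:01:02 fw ALLOW src=10.1.2.30 dst=10.1.1.5 dport=443 bytes_out=1200
2009-01-12T08:05:10 fw ALLOW src=10.1.2.30 dst=10.1.1.5 dport=443 bytes_out=4100
2009-01-12T08:07:33 fw ALLOW src=10.1.2.30 dst=10.1.1.9 dport=445 bytes_out=22000
2009-01-12T08:09:41 fw ALLOW src=10.1.2.30 dst=10.1.1.5 dport=443 bytes_out=900
""".splitlines()

# Constructed later traffic: normal mail, then a very large upload to an unknown host.
NEW = """\
2009-01-19T14:02:07 fw ALLOW src=10.1.2.30 dst=10.1.1.5 dport=443 bytes_out=2500
2009-01-19T14:03:15 fw ALLOW src=10.1.2.30 dst=198.51.100.23 dport=443 bytes_out=850000000
2009-01-19T14:04:00 fw DENY src=10.1.2.30 dst=10.1.1.9 dport=445 bytes_out=0
""".splitlines()

if __name__ == "__main__":
    for ts, src, dst, nbytes, reasons in find_outliers(BASELINE, NEW):
        print("%s %s -> %s %d bytes: %s" % (ts, src, dst, nbytes, "; ".join(reasons)))
```

The point of the two separate reasons is triage: a new destination alone is common and low priority, a transfer ten times larger than the host has ever made is rare, and a session that trips both is the one to look at first. The same baseline-then-compare shape works for router and server event logs, which is why the lesson is to keep all of them.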

In this environment and with little manpower, Michael was way in over his head. [Part 2 will appear in a future issue.] ■

The author leads a Computer Incident Response team. He may be reached at the pseudonymous eamonmadreen@gmail.com or eamonmadreen@hushmail.com




[INDUSTRY VIEW]

By Simone Seth, Information Security Forum

Outsourcing/Offshoring: An Information Security Practitioner’s View

The four stages of the outsourcing lifecycle


As organizations pursue cost savings and operational efficiencies with their existing business processes, they often turn to service providers either in their home countries or abroad to reap additional cost savings associated with factors such as lower wages, lower operating costs and workers with experience who may not be available in-house. Alternatively, some organizations choose to move their operations to offshore locations but retain control over their infrastructure, staff and processes. In either case, organizations need to manage the risks associated with safeguarding their assets and their information while complying with the various regulations and laws that govern their industry.

All business initiatives have an associated degree of risk. The risk associated with safeguarding the confidentiality, integrity and availability of information assets is a component of the overall business risk picture for all organizations worldwide. Ensuring that people, processes and technology are properly managed to address this risk is a challenge faced by information security professionals. There are, however, some unique risks associated with outsourcing that need to be addressed by organizational stakeholders to avoid pitfalls. These risks include:

■ Political and country risk
■ Cultural risk
■ Contractual risk
■ Operations risk
■ Compliance risk
■ Business continuity risk

Organizations need to develop a strategy for understanding and managing these risks, which are dynamic and fluid.

There is an inverse relationship between the degree of control and ownership and the amount of risk; the risk associated with outsourcing increases as the degree of ownership and control over business processes decreases. That said, risks can be effectively managed with governance programs and with program management offices that provide oversight and management of all elements of the outsourcing initiative. Whether outsourcing a specific function or a range of operations, attention must be paid to ensure that all aspects of the decision are analyzed and documented. Various outsourcing lifecycles to manage outsourcing initiatives have emerged as organizations increasingly participate in outsourcing activities. Nearly all of them share a common theme: Information security controls need to be part of any and all outsourcing activities.

Information security professionals often speak of an “information security outsourcing lifecycle.” This approach to outsourcing, that is, examining the lifecycle from an information security practitioner’s perspective, typically is not adopted by most organizations, as the decision to outsource is a business decision driven by a focus on cost savings, not necessarily risk management. Instead, a more effective approach to ensure that information security risk is addressed is one where information security practitioners integrate their requirements and recommendations into the “business” outsourcing lifecycle process.

The likelihood of an organization following a methodical and logical process to manage its outsourcing/offshoring efforts depends on the organization’s maturity in this space. Most organizations do not have a formal, documented process for managing outsourcing/offshoring. And generally, information security professionals are not engaged, if they are engaged at all, until well into the process.

In an effort to manage the extremely high cost to organizations associated with retrofitting information security controls into an outsourced or offshored agreement, organizations are increasingly searching for best practices and adopting an outsourcing/offshoring lifecycle that is a series of methodical steps which, if followed, can streamline the process of engaging a third party to provide services for an organization.

The outsourcing lifecycle has four stages, each with its own series of actions.

Preparation

The journey begins with strategy development. During this step, senior and business management evaluate and determine whether it may be profitable for the organization to outsource, offshore outsource or create an offshore captive center. The business then creates a strategic steering committee to manage the exploratory initiative, develop an outsourcing project management office (PMO) to operate the exploratory initiative and determine which business or IT functions may be profitably outsourced, offshore outsourced or managed by an offshore captive center.

Traditionally, information security has no involvement at this stage of the process nor the next step the organization takes, which is the development of the business case. The PMO identifies all relevant stakeholders, all aspects of risk to be managed if functions are outsourced, and performs a detailed cost benefit analysis to determine what option makes the most sense. In addition, there needs to be legal analyses of the regulatory compliance implications for outsourcing, offshore outsourcing and offshore captive center operations. Senior management then makes the final decision about which business/IT functions to outsource, offshore outsource or develop a captive center offshore.

In a mature organization, information security begins to get involved at the next stage—scope definition. Multiple stakeholders participate in defining the scope of activities to be undertaken. The PMO identifies all processes, operations and technology associated with the functions to be outsourced, applications associated with the functions to be outsourced and retained processes, operations, technology, applications, etc. Information security performs risk assessments to address confidentiality, integrity and availability of information assets to be outsourced.

Partner selection and negotiation of the contract make up the next step in the journey—structuring the deal. Multiple stakeholders are involved during this step, which involves the selection process, crafting the request for proposal (RFP) to outline requirements and identify metrics to measure success. Legal then ensures all relevant terms and conditions clauses are in the contract. Once a provider is identified, negotiation happens and the contract is eventually signed.

Implementation

After the decision is made, the organization begins the transition of the functions to be delivered by the service provider. The PMO plans and manages the transition schedule, begins to transition the functions to the service provider and creates a process to do ongoing cost benefit analysis. Information security builds security into processes, builds an incident reporting/management process and builds a process for ongoing monitoring (security and compliance). Information security should be heavily involved at this stage of the process.


Operation

Ongoing management and maintenance of the outsourced services is performed by several stakeholders, although overall coordination is done by the PMO, which implements an ongoing cost benefit analysis process, updates existing processes and operations to manage the retained organization and manages the partnership relationship through meetings and reporting structure. Information security performs an in-depth site audit of the selected service provider’s security control environment, performs annual (or more frequent) audits of the service provider, implements an incident reporting/management process, implements ongoing monitoring processes and manages the relationship with authorities.

Review

As the contract draws to a close, an organization may choose to renew or exit the contract. If the organization chooses to renew the contract and continue its relationship with the service provider, the PMO must evaluate the success of the outsourcing initiative (financial, operational, regulatory, etc.); legal must renegotiate terms as needed; and senior management must determine whether to renew the contract.

If an organization decides to terminate the relationship with the service provider and reacquire the functions, it is necessary to manage the transition process. The PMO must plan the transition process; legal must validate IP ownership as defined in the contract; and information security must perform a risk analysis of the functions and processes to be reintegrated into the organization and audit the service provider to ensure all data is retrieved.

Conclusion 

Security has a significant contribution to make to this outsourcing/offshoring lifecycle: performing risk assessments to address confidentiality, integrity and availability of the information assets to be outsourced; analyzing the security controls of the short list of service providers; and performing in-depth site audits of the selected service provider's security control environment. On an ongoing basis, security practitioners need to create processes for incident reporting, incident management and ongoing monitoring for security and compliance purposes.

Failure to involve security at the various points in the outsourcing/offshoring lifecycle may result in negative outcomes such as: higher costs for retroactive controls implementation; insufficient and nonempirical metrics and performance standards; disputes over intellectual property ownership; not knowing that the service provider has subcontracted the function to another provider; difficulty managing cross-border data flow issues; and inadequate security of intellectual property.

Organizations need to be prudent in their pursuit of cost savings and efficiencies. The strategies that maximize profit must include risk management and compliance components. Senior management needs to ensure that the potential benefits associated with outsourcing are balanced against the costs associated with risk management. Building security and compliance considerations into the outsourcing lifecycle is how the pitfalls outlined above are avoided. ■


Simone Seth is a director at PricewaterhouseCoopers, serving as an industry analyst for the Information Security Forum (ISF).


Most organizations do not have a formal, documented process for managing outsourcing/offshoring.


February  2009  www.csoonline.com  35 


[ debriefing ]

Just the Facts

Watching the Detectives

1. "All we want are the facts, ma'am," was a catchphrase on:
a. Hawaii Five-0
b. ADAM-12
c. Dragnet
d. The Mod Squad

2. Which of the following produced the most new seasons of shows?
a. TJ Hooker
b. 21 Jump Street
c. Cagney and Lacey
d. Dragnet

3. Which actor's two shows combined to produce the higher total number of TV seasons?
a. Raymond Burr (Perry Mason and Ironside)
b. William Shatner (Star Trek and TJ Hooker)
c. Robert Urich (SWAT and Spenser for Hire)
d. Andy Griffith (Matlock and The Andy Griffith Show)

4. The first names of characters Starsky and Hutch were:
a. Dave and Ken
b. Vic and Shane
c. Sonny and Rico
d. Kermit and Aloysius

5. A social game involves taking a drink every time he says, "Just one more thing..."
a. Marshall McCloud
b. Texas Ranger Walker
c. Detective Columbo
d. Detective Drebin

6. Which debuted first?
a. Baretta
b. Charlie's Angels
c. Police Woman
d. Law & Order

7. The arch-enemy on Hawaii Five-0 was:
a. Huggy Bear
b. Wo Fat
c. Kaos
d. Chris Carter

8. Which actor's decision to quit smoking provided his show's signature gimmick?
a. Telly Savalas
b. Robert Urich
c. Abe Vigoda
d. Michael Chiklis

9. Which actor is now a real (if part-time) police officer?
a. Kent McCord
b. Philip Michael Thomas
c. Dennis Franz
d. Erik Estrada

Bonus Question: What athlete occasionally replaced Erik Estrada in CHiPs' later seasons, allegedly due to contract disputes?

How'd You Do?

0-3 Correct: Analog
4-6 Correct: Digital
7-10 Correct: High Def

Answers (printed upside down in the original): 1. c (Don't worry, it gets harder.) 2. d (Cagney and Lacey was second.) 3. Take credit for a or d (tied, 17 seasons). 4. a 5. c 6. c 7. b 8. a 9. d. Bonus question: Officer Steve McLeish was played by Bruce Jenner.

36 www.csoonline.com


NEWSLETTER 


THE  EMPLOYEE  SECURITY  AWARENESS  NEWSLETTER  FROM  THE  EDITORS  AT  CSO 


Security Smart is a quarterly security awareness newsletter ready for distribution to your employees, saving you precious time on employee education. The compelling content combines personal and organizational safety tips, so it is applicable to many facets of employees' lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees, your organization's most valuable assets, will read and retain the information.


Subscribe  today! 

To  view  a  sample  issue  of  the  newsletter,  learn  about  the 
delivery  options  and  to  subscribe  visit: 

www.SecuritySmartNewsletter.com 


For  more  information  please  visit 

www.SecuritySmartNewsletter.com 

Security  Smart  is  published  by  CSO,  a  business  unit  of  CXO  Media.  ©  2007  CXO  Media  Inc. 


BUSINESS  RISK  LEADERSHIP 


Guard  Against  Data  Loss  Like  Your  Life  Depended  On  It 
Or  Your  Stock  Price,  Whichever  Is  More  Important  To  You. 


CA's  acquisition  of  Orchestria  gives  you  even  better  control  over  your  users  and  data. 


A  significant  data  loss  event  can  be  devastating  to  an  organization's  reputation  and  finances. 

CA's data and resource protection solutions help organizations apply the correct level of security around data, files and applications. They reduce administrative costs associated with intensive manual processes, provide proactive reporting that helps address compliance requirements and prevent data loss. These solutions also enable an organization to analyze its existing resources to find sensitive data, classify it appropriately, and then control access to that data. Together with CA's Identity and Access Management products, Orchestria's data loss protection technology provides a comprehensive information-centric security solution that empowers organizations to manage access to data and set policies on how that data can be used based on a user's identity and role.

To  find  out  more  about  how  you  can  better  protect  your  data  and  resources,  visit  ca.com/drp. 


Copyright  ©  2009  CA.  All  rights  reserved.  All  trademarks,  trade  names,  service  marks  and  logos  referenced  herein  belong  to  their  respective  companies. 




Transforming 
IT  Management, 


